Well, technically, I don't think IPA needs DNS entries simply for synchronization, so
you could technically give it the same domain suffix. However, if you plan on using it for
clients to connect to, it will need to be on its own domain.
The reason it is highly suggested for different domains to have different suffixes within
DNS is that clients will 'dig' that domain for Kerberos and LDAP type records
when looking for domain servers. Something like the below, for example:
# dig -t SRV _kerberos._tcp.EXAMPLE.COM.
If this returns both AD /and/ IPA servers, your clients will have a bad time.
Sent via carrier pigeons
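An added check, not from the list post, that runs the lookup described above for both the Kerberos and LDAP SRV labels and flags a suffix whose answers mix FreeIPA replicas and AD domain controllers. The host lists, the sample dig answer and the helper names are assumptions.

```python
import re
import subprocess

# One SRV answer line as printed by dig: name TTL class SRV prio weight port target
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)\s+"
    r"(?P<port>\d+)\s+(?P<target>\S+)$"
)

def parse_srv_answers(dig_output):
    """Return [(priority, weight, port, target)] from `dig -t SRV` output."""
    records = []
    for line in dig_output.splitlines():
        m = SRV_RE.match(line.strip())
        if m:  # comment lines (";...") and blank lines never match
            records.append((int(m["prio"]), int(m["weight"]), int(m["port"]),
                            m["target"].rstrip(".").lower()))
    return records

def classify_targets(records, ipa_hosts, ad_hosts):
    """Bucket SRV targets by which directory they belong to.

    ipa_hosts/ad_hosts are the FQDNs of the IPA replicas and AD domain
    controllers you expect to serve the suffix; anything else is 'unknown'.
    """
    ipa = {h.lower() for h in ipa_hosts}
    ad = {h.lower() for h in ad_hosts}
    buckets = {"ipa": [], "ad": [], "unknown": []}
    for _, _, _, target in records:
        key = "ipa" if target in ipa else "ad" if target in ad else "unknown"
        buckets[key].append(target)
    # A suffix whose Kerberos/LDAP SRV set points at both directories is the
    # situation the reply warns about: clients may pick either kind of server.
    buckets["mixed"] = bool(buckets["ipa"] and buckets["ad"])
    return buckets

def check_suffix(suffix, ipa_hosts, ad_hosts, services=("_kerberos._tcp", "_ldap._tcp")):
    """Run dig for each service label under `suffix` and classify the answers."""
    results = {}
    for svc in services:
        out = subprocess.run(["dig", "-t", "SRV", f"{svc}.{suffix}."],
                             capture_output=True, text=True, check=False).stdout
        results[svc] = classify_targets(parse_srv_answers(out), ipa_hosts, ad_hosts)
    return results

# Constructed sample answer (not a real capture) showing the mixed case.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.16 <<>> -t SRV _kerberos._tcp.EXAMPLE.COM.
;; ANSWER SECTION:
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 dc1.example.com.
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 ipa1.example.com.
"""

if __name__ == "__main__":
    print(classify_targets(parse_srv_answers(SAMPLE_DIG_OUTPUT),
                           ["ipa1.example.com"], ["dc1.example.com"]))
```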
-------- Original message --------
From: Striker Leggette via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Date: 6/14/17 8:12 PM (GMT-05:00)
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Striker Leggette <striker(a)terranforge.com>
Subject: [Freeipa-users] Re: FreeIPA - Active Directory integration and domain names
Yes
Sent via carrier pigeons
-------- Original message --------
From: bogusmaster--- via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Date: 6/14/17 6:06 AM (GMT-05:00)
To: freeipa-users(a)redhat.com
Cc: bogusmaster(a)o2.pl
Subject: [Freeipa-users] FreeIPA - Active Directory integration and domain names
Hi,
I have a question regarding establishing one-way trust between FreeIPA
and Active Directory. In the documentation it is stated that to use a
cross-forest trust it is required for FreeIPA to have a different domain
than that of Active Directory. Does it also apply to the synchronization
scenario?
Thank you
Bart
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org